Skip to content

Security: yoosuf/SuperApp

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x

Reporting a Vulnerability

We take the security of SuperApp seriously. If you believe you've found a security vulnerability, please follow these steps:

  1. Do not open a public GitHub issue
  2. Email security details to security@superapp.dev
  3. Include as much information as possible:
    • Type of vulnerability
    • Steps to reproduce
    • Affected versions
    • Potential impact

You should receive a response within 48 hours. If not, please follow up.

What to Expect

  • We will acknowledge receipt within 2 business days
  • We will investigate and provide an estimated timeline for a fix
  • We will notify you when the vulnerability is fixed
  • We will credit you in the security advisory (if desired)

Disclosure Policy

We follow a 90-day disclosure deadline. We ask that you give us 90 days to address the issue before any public disclosure.

Security Features

  • Multi-tenancy: Tenant ID enforced on every DB query, cross-tenant isolation at repository level
  • Authentication: JWT with short-lived access tokens (15min) + refresh token rotation
  • Authorization: RBAC with fine-grained permissions (resource:action pattern)
  • Data encryption: Passwords hashed with bcrypt, sensitive data encrypted at rest
  • Audit logging: All mutating operations logged (immutable, append-only, 90-day retention)
  • Feature flags: Admin-only API for flag toggles, tenant-isolated overrides
  • Rate limiting: Redis-based sliding window, configurable per endpoint

There aren't any published security advisories